Review: Six Rootkit Detectors Protect Your System
Trend Micro RootkitBuster 1.6
One of the things I've always liked about Trend Micro is how they make bits of their commercial products available as freebies. If you've been smacked with a virus, you can use their online antivirus engine to do a scan-and-clean. The same goes for rootkits: Trend Micro has excerpted the rootkit-detection technology from its commercial Internet Security 2007 product and made it available as a standalone tool. Documentation is essentially nonexistent and it's very hard to tell how regularly the product has been updated, but I suspect that goes hand-in-hand with it being a freebie.
Trend Micro's RootkitBuster doesn't have many options, but its scanning engine is thorough.
Simple as it is, RootkitBuster actually doesn't do a bad job. The program runs as-is (no installation needed) and scans five areas: file system, Registry, running processes, drivers, and any operating system-level service hooks. The results are automatically exported to a log file, and if anything's detected you can opt to have it deleted (with a forced reboot afterward to ensure deletion).
For some reason, RootkitBuster doesn't scan the service-hooks list by default, but the option to control this is presented to the user in the program's one-and-only interface, so it's not a big deal. (I suspect this was done to cut down on the amount of scanning time, since most rootkits will manifest in one of the other four categories anyway.)
The application also scans a bit faster than some of the others here, but the amount of information about the detected problems is skimpy compared with, say, what IceSword or Rootkit Unhooker provides. RootkitBuster does do a good job of detecting and cleaning, though: it caught processes hidden by the Fu rootkit, and found the other two test rootkits quite completely. All three were cleaned up nicely by the program with little more than a click of a button and a restart. It's not clear if RootkitBuster has measures to defend itself against subversion by a rootkit that's aware of it, however.
Trend Micro RootkitBuster 1.6
Trend Micro Inc.
www.trendmicro.com
Price: Free
Summary: A spin-off / standalone version of the rootkit scanning technology from one of Trend Micro's commercial programs, which actually works quite well on its own.













